Detecting anomalous events through application of anomaly detection models

ABSTRACT

According to examples, an apparatus may include a processor and a memory on which is stored machine-readable instructions that when executed by the processor, may cause the processor to access a plurality of features pertaining to an event, apply an anomaly detection model on the accessed plurality of features, in which the anomaly detection model may output a reconstruction of the accessed plurality of features. The processor may calculate a reconstruction error of the reconstruction, determine whether a combination of the plurality of features is anomalous based on the calculated reconstruction error, and based on a determination that the combination of the plurality of features is anomalous, output a notification that the event is anomalous.

BACKGROUND

Networked computing devices may generate and send data pertaining to various transactions or events to servers for logging and analysis. Organizations with large numbers of networked computing devices may generate large amounts of such data. The data may be analyzed to determine whether the computing devices may have been compromised.

BRIEF DESCRIPTION OF DRAWINGS

Features of the present disclosure are illustrated by way of example and not limited in the following figure(s), in which like numerals indicate like elements, in which:

FIG. 1 shows a block diagram of a network environment, in which an apparatus may determine whether features pertaining to an event are anomalous and to output a notification based on a determination that the features are anomalous in accordance with an embodiment of the present disclosure;

FIG. 2 depicts a block diagram of the apparatus depicted in FIG. 1, in accordance with an embodiment of the present disclosure;

FIGS. 3 and 4A-4B, respectively, depict flow diagrams of methods for determining whether features pertaining to an event are anomalous and to output a notification based on a determination that the features are anomalous, in accordance with an embodiment of the present disclosure; and

FIG. 5 shows a block diagram of a computer-readable medium that may have stored thereon computer-readable instructions for determining whether features pertaining to an interaction event are anomalous and to output a notification based on a determination that the features are anomalous, in accordance with an embodiment of the present disclosure.

DETAILED DESCRIPTION

For simplicity and illustrative purposes, the principles of the present disclosure are described by referring mainly to embodiments and examples thereof. In the following description, numerous specific details are set forth in order to provide an understanding of the embodiments and examples. It will be apparent, however, to one of ordinary skill in the art, that the embodiments and examples may be practiced without limitation to these specific details. In some instances, well known methods and/or structures have not been described in detail so as not to unnecessarily obscure the description of the embodiments and examples. Furthermore, the embodiments and examples may be used together in various combinations.

Throughout the present disclosure, the terms “a” and “an” are intended to denote at least one of a particular element. As used herein, the term “includes” means includes but not limited to, the term “including” means including but not limited to. The term “based on” means based at least in part on.

Disclosed herein are apparatuses, methods, and computer-readable media in which a processor may determine whether features pertaining to an event are anomalous based on outputs from an anomaly detection model. The event may be, for instance, an interaction event with a computing device such as a log in attempt, a failed log in attempt, and/or the like. The features pertaining to the event may be other data, events and/or actions that may correspond to the event, such as, data pertaining to a geographic location at which the event occurred, an IP address of the computing device on which the event occurred, and/or the like. In some examples, the anomaly detection model may be trained using normal interaction data that may have been provided by personnel having cyber security expertise and thus, the anomaly detection model may have been trained using accurate training data.

According to examples, the anomaly detection model may be an artificial neural network such as an autoencoder that may use training data to learn codings of data. For instance, the anomaly detection model may include an encoder that may encode the inputted features into latent data (hidden layer) and a decoder that may output a reconstruction of the features from the latent data. The decoder may take a latent representation of the features as an input to reconstruct the features. The processor may determine that the features are anomalous when, for instance, there are differences between the reconstructed features and the input features. The processor may also identify which of the features are anomalous through a determination of relative reconstruction errors of the reconstructed features.

The processor may, based on a determination that the features are anomalous, output a notification that the event is anomalous. In some examples, the processor may identify the anomalous features and may output identifications of the anomalous features. As a result, an analyst may determine both that an event is anomalous and the cause for the event being determined to be anomalous.

As the collected amount of event-related data increases, the detection of anomalous events may become increasingly difficult and may result in greater numbers of false positive indications. In addition, when models that have been trained using inaccurate training data are employed to detect anomalous events, anomalous events may be overlooked and/or events that are normal may be identified as being anomalous. Through implementation of the present disclosure, anomalous events may accurately be detected through application of accurately trained anomaly detection models on the features pertaining to an event. In addition, instead of analyzing the event itself, features pertaining to the event may be analyzed to determine whether a combination of the features indicates that the event is anomalous, which may also result in more accurate determinations of anomalous events. Moreover, the features that are anomalous may be identified and identifications of those features may be outputted such that, for instance, analysts may determine causes of the events being determined to be anomalous. Technical improvements afforded through implementation of the present disclosure may thus include improved anomalous event detection, reduced false positive detections, improved anomaly causation detection, and/or the like, which may improve security across networked computing devices.

Reference is first made to FIGS. 1 and 2. FIG. 1 shows a block diagram of a network environment 100, in which an apparatus 102 may determine whether features 132 pertaining to an event 122 are anomalous and to output a notification 150 based on a determination that the features 132 are anomalous, in accordance with an embodiment of the present disclosure. FIG. 2 depicts a block diagram of the apparatus 102 depicted in FIG. 1, in accordance with an embodiment of the present disclosure. It should be understood that the network environment 100 and the apparatuses 102 may include additional features and that some of the features described herein may be removed and/or modified without departing from the scopes of the network environment 100 and/or the apparatuses 102.

As shown in FIG. 1, the network environment 100 may include the apparatus 102 and a computing device 120. The apparatus 102 may be a computing device, such as a server, a desktop computer, a laptop computer, and/or the like. The computing device 120 may be a laptop computing device, a desktop computing device, a tablet computer, a smartphone, and/or the like. The computing device 120 may communicate with a server 130, in which the server 130 may be remote from the computing device 120. In some examples, the apparatus 102 may be a computing device that an administrator, IT personnel, and/or the like, may access in, for instance, managing operations of the server 130. By way of particular example, the apparatus 102 may be a server of a cloud services provider. It should be understood that a single apparatus 102, a single computing device 120, and a single server 130 have been depicted in FIG. 1 for purposes of simplicity. Accordingly, the network environment 100 depicted in FIG. 1 may include any number of apparatuses 102, computing devices 120, and/or servers 130 without departing from a scope of the network environment 100.

The computing device 120 may communicate with the server 130 to, for instance, send data pertaining to events 122 to the server 130. As shown in FIG. 1, the computing device 120 may communicate with the server 130 via a network 140, which may be a local area network, a wide area network, the Internet, and/or the like. In some examples, the computing device 120 may be assigned to a particular account, for instance, a particular user account.

The events 122, which are also referenced herein as interaction events 122, may include events within a set of predefined events, such as a user interaction in which the user logs into the computing device 120, a user interaction in which the user enters an incorrect credential in attempting to log into the computing device 120, a user interaction in which the user attempts to make an administrative change on the computing device 120, a user interaction in which the user attempts to access another computing device through the computing device 120, and/or the like. The predefined events may be user-defined, for instance, by an administrator, an IT personnel, and/or the like, and the computing device 120 may be instructed to gather and output data pertaining to the events within the set of predefined events. In some examples, the computing device 120 may generate the data each time such an event 122 is determined to have occurred on the computing device 120. In addition, the computing device 120 may send the data pertaining to the events 122 to the server 130 as the data is generated or may send the data as batches at certain times.

The server 130 may determine features 132 pertaining to an event 122 received from the computing device 120. The features 132 pertaining to the event 122 may include data directly corresponding to the event 122 and data indirectly corresponding to the event 122. The data directly corresponding to the event 122 may include data pertaining to any of the user interactions discussed above, e.g., incorrect entry of user credentials. The data indirectly corresponding to the event 122 may include data that may be peripheral to the event 122. Examples of the indirect data may include an IP address of the computing device 120, a geographic location of the computing device 120, a geographic location of a user account corresponding to the event 122, normal work hours of an account owner, IP addresses of gateways through which the computing device 120 normally communicates, IP addresses of servers with which the computing device 120 normally communicates, and/or the like. Additional examples of the indirect data may include whether the user's peers have committed this action in the past, e.g., whether they have accessed that resource, connected from a specific country, and/or the like, whether the resource and/or the country is popular in the organization, and/or the like.

The server 130 may determine the features 132 through any of a number of suitable manners. For instance, the server 130 may access one or more logs that may include the indirect data to determine the features 132. The server 130 may also or alternatively, access other sources of information for the features 132, such as other servers, databases, user inputs, and/or the like.

As also shown in FIG. 1, the server 130 may communicate the determined features 132 to the apparatus 102 via the network 140. In some instances, the features 132 may be construed as low fidelity signals because the features 132 pertaining to the event 122, which may include data pertaining to the event 122, themselves may not be construed as being anomalous. In other words, an analyst analyzing the features 132 alone may not determine that the features 132 are anomalous.

As shown in FIGS. 1 and 2, the apparatus 102 may include a processor 104 that may control operations of the apparatus 102. The apparatus 102 may also include a memory 106 on which data that the processor 104 may access and/or may execute may be stored. The processor 104 may be a semiconductor-based microprocessor, a central processing unit (CPU), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), and/or other hardware device. The memory 106, which may also be termed a computer readable medium, may be, for example, a Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage device, or the like. The memory 106 may be a non-transitory computer readable storage medium, where the term “non-transitory” does not encompass transitory propagating signals. In any regard, the memory 106 may have stored thereon machine-readable instructions that the processor 104 may execute.

Although the apparatus 102 is depicted as having a single processor 104, it should be understood that the apparatus 102 may include additional processors and/or cores without departing from a scope of the apparatus 102. In this regard, references to a single processor 104 as well as to a single memory 106 may be understood to additionally or alternatively pertain to multiple processors 104 and multiple memories 106. In addition, or alternatively, the processor 104 and the memory 106 may be integrated into a single component, e.g., an integrated circuit on which both the processor 104 and the memory 106 may be provided. In addition, or alternatively, the operations described herein as being performed by the processor 104 may be distributed across multiple apparatuses 102 and/or multiple processors 104.

As shown in FIG. 2, the memory 106 may have stored thereon machine-readable instructions 200-216 that the processor 104 may execute. Although the instructions 200-216 are described herein as being stored on the memory 106 and may thus include a set of machine-readable instructions, the apparatus 102 may include hardware logic blocks that may perform functions similar to the instructions 200-216. For instance, the processor 104 may include hardware components that may execute the instructions 200-216. In other examples, the apparatus 102 may include a combination of instructions and hardware logic blocks to implement or execute functions corresponding to the instructions 200-216. In any of these examples, the processor 104 may implement the hardware logic blocks and/or execute the instructions 200-216. As discussed herein, the apparatus 102 may also include additional instructions and/or hardware logic blocks such that the processor 104 may execute operations in addition to or in place of those discussed above with respect to FIG. 2.

The processor 104 may execute the instructions 200 to access a plurality of features 132 pertaining to an event 122. As discussed herein, the processor 104 may receive the features 132 from the server 130. The processor 104 may also store the received features 132 in a data store 108, which may be a Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage device, or the like. The processor 104 may access the features 132 from the data store 108. In other examples, the processor 104 may stream the features 132 from the server 130.

The processor 104 may execute the instructions 202 to apply an anomaly detection model 110 on the accessed plurality of features 132. The anomaly detection model 110 may output a reconstruction of the accessed plurality of features 132. By way of particular example, the anomaly detection model 110 may be an artificial neural network such as an autoencoder that may use training data to learn codings of data. For instance, the anomaly detection model 110 may include an encoder that may encode the features 132 into latent data (hidden layer) and a decoder that may output a reconstruction of the features 132 from the latent data. The decoder may take a latent representation of the features 132 as an input to reconstruct the features 132.

The anomaly detection model 110 may be trained using training data collected from, for instance, personnel with cyber security expertise within an organization. The anomaly detection model 110 may learn the latent representation of the training data. According to examples, the personnel with the cyber security expertise may provide the training data through a portal or in any other suitable manner. In addition, the processor 104 or a processor of another computing device may train the anomaly detection model 110. In one regard, the anomaly detection model 110 may accurately model normal activities of the features through use of the accurate training data. The normal activities may be those activities that are known to not be associated with malicious behavior, for instance.

As noted herein, application of the anomaly detection model 110 may result in an output of a reconstruction of the features 132. The processor 104 may execute the instructions 204 to calculate a reconstruction error of the reconstruction. That is, the processor 104 may calculate a difference between the reconstruction of the features 132 and the inputted version of the features 132, in which the difference may correspond to the reconstruction error. According to examples, the input features 132 may be represented by the vector value X, in which $X = [x_1, x_2, x_3, \dots, x_n]$. The input features 132 may be features that may have been collected during a predetermined time period. The predetermined time period may be user-defined and may be, for instance, hours, days, weeks, etc. In addition, the processor 104 may calculate the vector value X per account. The output features in the reconstruction may be represented as a vector $d(e(x)) = [\hat{x}_1, \hat{x}_2, \hat{x}_3, \dots, \hat{x}_n]$.

By way of example, the processor 104 may calculate the reconstruction error as:

$\text{Reconstruction error} = \left| x_i - \hat{x}_i \right| \qquad \text{Equation (1)}$

In Equation (1), $x_i$ may represent the input features 132 and $\hat{x}_i$ may represent the reconstruction of the features 132.

The processor 104 may execute the instructions 206 to determine whether a combination of the plurality of features 132 is anomalous based on the calculated reconstruction error. For instance, the processor 104 may determine that a combination of the features 132 is anomalous when there is a reconstruction error, e.g., when the reconstruction error is greater than zero. As other examples, the processor 104 may determine whether the reconstruction error exceeds a predefined value and may determine that a combination of the features 132 is anomalous based on the reconstruction error exceeding the predefined value. The predefined value may be user-defined, may be based on an accuracy of the anomaly detection model 110, and/or the like.

According to examples, the processor 104 may calculate an anomaly score from the calculated reconstruction error. For instance, the processor 104 may calculate the anomaly score as a mean squared error according to the following equation:

$\text{Anomaly score} = \frac{1}{n} \sum_{i=1}^{n} \left( x_i - \hat{x}_i \right)^2 \qquad \text{Equation (2)}$

The processor 104 may also determine whether the anomaly score exceeds a predefined value, which may be user defined. In addition, based on a determination that the anomaly score exceeds the predefined value, the processor 104 may determine that an account associated with the event 122 is likely compromised. The account associated with the event 122 may be a user account that was used to access the computing device 120.

According to examples, the processor 104 may calculate a plurality of anomaly scores from the calculated reconstruction error over windows of time, e.g., a certain number of hours, a certain number of days, etc. In addition, the processor 104 may determine an account score for a time window in the windows of time, determine whether the account score exceeds a predefined score, and based on a determination that the account score exceeds the predefined score, determine that an account associated with the event is likely compromised.

The processor 104 may execute the instructions 208 to, based on a determination that the combination of the plurality of features 132 is anomalous, output a notification 150 that the event 122 is anomalous. The processor 104 may also output the notification 150 to indicate that the account associated with the event is likely compromised. The processor 104 may output the notification 150 to an administrator of an organization within which a user of the computing device 120 may be a member. In addition, or alternatively, the processor 104 may output the notification 150 to an administrator, IT personnel, analyst, and/or the like, such that the event 122 may be further analyzed to determine whether the event 122 is potentially malicious.

According to examples, the processor 104 may execute the instructions 210 to identify one or more anomalous features 132. For instance, the anomaly detection model 110 may output a reconstruction for each of the features 132 in the plurality of features and the processor 104 may calculate respective reconstruction error values of the features 132 from the respective reconstructions. According to examples, the processor 104 may calculate relative reconstruction errors of each of the features according to the following equation:

$\text{Relative reconstruction error} = \left| \frac{x_i - \hat{x}_i}{x_i} \right| \qquad \text{Equation (3)}$

In addition, the processor 104 may identify a feature of the plurality of features 132 that is anomalous based on the calculated reconstruction error values. For instance, the processor 104 may identify the features 132 having reconstruction error values (e.g., relative reconstruction errors) that are greater than a predefined value, e.g., greater than zero. In some instances, the processor 104 may identify a set of the features that are anomalous based on the calculated reconstruction error values, in which the set of the features corresponds to a predefined number of anomalous features. The predefined number of anomalous features may be user defined and may correspond to, for instance, the three or five features having the greatest reconstruction error values.

The processor 104 may also execute the instructions 212 to output an identification of the identified feature or identifications of the identified features. In this regard, the processor 104 may output the identifications of the features that are deemed to be anomalous, which an analyst may use to determine a justification for the determination that the event 122 is anomalous.

By way of particular example, the event 122 may be a log in attempt onto a user account through the computing device 120 and a feature 132 may be a geographic location of the computing device 120 when the log in attempt occurred. In this example, the reconstruction of the feature 132 outputted by the anomaly detection model 110 may differ from the feature 132 in instances in which the geographic location of the computing device 120 is abnormal. For instance, a normal geographic location of the computing device 120 may be the United States and thus, if the geographic location is Germany, the processor 104 may determine that the feature 132 and thus, the event 122, is anomalous.
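To make Equations (1) to (3) and the feature-identification step of instructions 210 concrete, the following is an added Python example, not code from the patent: it trains a small linear autoencoder in pure Python on constructed normal events, scores a held-out normal event and an event whose features are each individually plausible but jointly inconsistent, and names the features with the largest relative reconstruction error. The feature names, the two-factor data generator, the threshold of 0.02 and the mean-based account score are assumptions made for this example.

```python
import random

# Constructed feature names and threshold for this example (not from the patent).
FEATURE_NAMES = ["login_hour", "peer_activity", "country_popularity", "peer_country_use"]
THRESHOLD = 0.02  # assumed "predefined value" for the anomaly score of Equation (2)


def make_event(a, b, rng=None, noise=0.01):
    """Constructed normal-activity vector: a time-of-day factor `a` drives the first
    two features and a login-country factor `b` drives the last two, so normal events
    lie near a 2-dimensional subspace that a 2-unit bottleneck can learn."""
    x = [a, a, b, b]
    return [v + rng.gauss(0.0, noise) for v in x] if rng is not None else x


def train_linear_autoencoder(data, latent_dim=2, epochs=1200, lr=0.2, seed=7):
    """Train encoder e (W1, b1) and decoder d (W2, b2) by full-batch gradient descent
    on the batch-mean squared reconstruction error; returns the function x -> d(e(x))."""
    rng = random.Random(seed)
    n, m, N = len(data[0]), latent_dim, len(data)
    W1 = [[rng.uniform(-0.5, 0.5) for _ in range(n)] for _ in range(m)]
    W2 = [[rng.uniform(-0.5, 0.5) for _ in range(m)] for _ in range(n)]
    b1, b2 = [0.0] * m, [0.0] * n

    def encode(x):
        return [sum(W1[j][i] * x[i] for i in range(n)) + b1[j] for j in range(m)]

    def decode(h):
        return [sum(W2[i][j] * h[j] for j in range(m)) + b2[i] for i in range(n)]

    for _ in range(epochs):
        gW1, gb1 = [[0.0] * n for _ in range(m)], [0.0] * m
        gW2, gb2 = [[0.0] * m for _ in range(n)], [0.0] * n
        for x in data:
            h = encode(x)
            dy = [2.0 * (yi - xi) / N for yi, xi in zip(decode(h), x)]  # d loss / d output
            for i in range(n):
                gb2[i] += dy[i]
                for j in range(m):
                    gW2[i][j] += dy[i] * h[j]
            dh = [sum(W2[i][j] * dy[i] for i in range(n)) for j in range(m)]  # back-propagate
            for j in range(m):
                gb1[j] += dh[j]
                for i in range(n):
                    gW1[j][i] += dh[j] * x[i]
        for j in range(m):  # gradient step on the encoder
            b1[j] -= lr * gb1[j]
            W1[j] = [w - lr * g for w, g in zip(W1[j], gW1[j])]
        for i in range(n):  # gradient step on the decoder
            b2[i] -= lr * gb2[i]
            W2[i] = [w - lr * g for w, g in zip(W2[i], gW2[i])]
    return lambda x: decode(encode(x))


def reconstruction_errors(x, x_hat):
    """Equation (1): per-feature absolute reconstruction error |x_i - x̂_i|."""
    return [abs(xi - xh) for xi, xh in zip(x, x_hat)]


def anomaly_score(x, x_hat):
    """Equation (2): mean squared reconstruction error over the n features."""
    return sum((xi - xh) ** 2 for xi, xh in zip(x, x_hat)) / len(x)


def relative_reconstruction_errors(x, x_hat, eps=1e-9):
    """Equation (3): |(x_i - x̂_i) / x_i|. The formula is undefined for x_i == 0, so
    near-zero inputs fall back to the absolute error instead of dividing."""
    return [abs(xi - xh) / abs(xi) if abs(xi) > eps else abs(xi - xh)
            for xi, xh in zip(x, x_hat)]


def top_anomalous_features(x, x_hat, names, k=2):
    """Instructions 210: the k features with the largest relative reconstruction error."""
    ranked = sorted(zip(names, relative_reconstruction_errors(x, x_hat)),
                    key=lambda t: t[1], reverse=True)
    return [name for name, _ in ranked[:k]]


def assess_event(reconstruct, x, names=FEATURE_NAMES, threshold=THRESHOLD, k=2):
    """Instructions 204-212: score one event; name top-k features only when anomalous."""
    x_hat = reconstruct(x)
    score = anomaly_score(x, x_hat)
    flagged = score > threshold
    return {"score": score, "anomalous": flagged,
            "features": top_anomalous_features(x, x_hat, names, k) if flagged else []}


def account_score(event_scores):
    """Assumed definition: the account score for a time window is the mean anomaly
    score of the window's events (the patent leaves the aggregation unspecified)."""
    return sum(event_scores) / len(event_scores)


def build_model():
    """Train on 40 constructed normal events (standing in for expert-provided normal data)."""
    rng = random.Random(1)
    return train_linear_autoencoder([make_event(rng.random(), rng.random(), rng) for _ in range(40)])


if __name__ == "__main__":
    model = build_model()
    print(assess_event(model, make_event(0.5, 0.3)))   # on the normal subspace: not flagged
    print(assess_event(model, [0.1, 0.6, 0.9, 0.2]))   # pairs disagree: flagged with top features
```

Training takes a few seconds in pure Python; the flagged event is caught because its paired features disagree, even though every value lies within the range seen in normal data.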

Various manners in which the processor 104 of the apparatus 102 may operate are discussed in greater detail with respect to the methods 300 and 400 depicted in FIGS. 3 and 4. Particularly, FIGS. 3 and 4A-4B, respectively, depict flow diagrams of methods 300, 400 for determining whether features 132 pertaining to an event 122 are anomalous and to output a notification 150 based on a determination that the features 132 are anomalous, in accordance with an embodiment of the present disclosure. It should be understood that the methods 300 and 400 may include additional operations and that some of the operations described therein may be removed and/or modified without departing from the scopes of the methods 300 and 400. The descriptions of the methods 300 and 400 are made with reference to the features depicted in FIGS. 1 and 2 for purposes of illustration.

With reference first to FIG. 3, at block 302, the processor 104 may access a plurality of features 132 pertaining to an interaction event 122 on a computing device 120. As discussed herein, a server 130 may determine the features 132 pertaining to the interaction event 122 and may communicate the determined features 132 to the apparatus 102. The processor 104 may store the features 132 in a data store 108 and may access the features 132 from the data store 108.

At block 304, the processor 104 may apply an anomaly detection model 110 on the accessed plurality of features 132. As discussed herein, the anomaly detection model 110 may encode the plurality of features 132 into latent data and may output a reconstruction of the plurality of features 132 from the latent data.

At block 306, the processor 104 may calculate a reconstruction error based on a difference between the reconstruction of the plurality of features 132 and the plurality of features 132. At block 308, the processor 104 may determine whether at least one of the plurality of features 132 is anomalous based on the calculated reconstruction error. For instance, the processor 104 may determine whether one or more of the reconstructions of the features 132 are different from the respective features 132. The processor 104 may determine that a feature is anomalous based on the reconstruction of the feature being different from the feature.

Based on a determination that none of the features are anomalous at block 308, the processor 104 may repeat blocks 302-308 on another set of features 132. However, based on a determination that at least one of the plurality of features is anomalous, at block 310, the processor 104 may output a notification that the interaction event 122 is anomalous.

With reference now to FIGS. 4A-4B, at block 402, the processor 104 may train an anomaly detection model 110 with training data corresponding to normal activities of the features 132. The training data may be data collected from cyber security experts.

At block 404, the processor 104 may access a plurality of features 132 pertaining to an interaction event 122 on a computing device 120. At block 406, the processor 104 may apply the anomaly detection model 110 on the accessed plurality of features 132, in which the anomaly detection model 110 may encode the plurality of features 132 into latent data and may output one or more reconstructions of the plurality of features 132 from the latent data. At block 408, the processor 104 may calculate one or more reconstruction errors based on one or more differences between the reconstructions of the plurality of features and the plurality of features 132.

At block 410, the processor 104 may determine whether at least one of the plurality of features 132 is anomalous based on the calculated reconstruction errors. Based on a determination that none of the features 132 are anomalous, the processor 104 may repeat blocks 404-410 on another set of features 132. However, based on a determination that at least one of the features 132 is anomalous, the processor 104 may, at block 412, output a notification 150 that the interaction event 122 is anomalous.

At block 414, the processor 104 may identify one or more anomalous features 132. As discussed herein, the processor 104 may identify the one or more anomalous features 132 based on relative reconstruction errors of the features. In addition, at block 416, the processor 104 may output an identification of the identified anomalous features.

According to examples, at block 418, the processor 104 may calculate one or more anomaly scores from the calculated reconstruction error(s). For instance, the processor 104 may calculate a plurality of anomaly scores from the calculated reconstruction errors over windows of time. The processor 104 may also, at block 420, determine an account associated with the interaction event 122.

In some examples, at block 422, the processor 104 may determine an account score for a time window in the windows of time. At block 424, the processor 104 may determine whether the account score exceeds a predefined score and/or the anomaly score exceeds a predefined score. Based on the account score not exceeding the predefined score and/or the anomaly score not exceeding the predefined score, the processor 104 may repeat blocks 404-424 on another set of features 132. However, based on a determination that the account score exceeds the predefined score and/or the anomaly score exceeds the predefined score, at block 426, the processor 104 may determine that an account associated with the interaction event 122 is likely compromised. In addition, at block 428, the processor 104 may output an indication that the account associated with the interaction event 122 is likely compromised.

Some or all of the operations set forth in the methods 300, 400 may be included as utilities, programs, or subprograms, in any desired computer accessible medium. In addition, the methods 300, 400 may be embodied by computer programs, which may exist in a variety of forms both active and inactive. For example, they may exist as machine-readable instructions, including source code, object code, executable code or other formats. Any of the above may be embodied on a non-transitory computer readable storage medium.

Examples of non-transitory computer readable storage media include computer system RAM, ROM, EPROM, EEPROM, and magnetic or optical disks or tapes. It is therefore to be understood that any electronic device capable of executing the above-described functions may perform those functions enumerated above.

Turning now to FIG. 5, there is shown a block diagram of a computer-readable medium 500 that may have stored thereon computer-readable instructions for determining whether features 132 pertaining to an interaction event 122 are anomalous and to output a notification 150 based on a determination that the features 132 are anomalous, in accordance with an embodiment of the present disclosure. It should be understood that the computer-readable medium 500 depicted in FIG. 5 may include additional instructions and that some of the instructions described herein may be removed and/or modified without departing from the scope of the computer-readable medium 500 disclosed herein. The computer-readable medium 500 may be a non-transitory computer-readable medium, in which the term “non-transitory” does not encompass transitory propagating signals.

The computer-readable medium 500 may have stored thereon computer-readable instructions 502-518 that a processor, such as a processor 104 of the apparatus 102 depicted in FIGS. 1 and 2, may execute. The computer-readable medium 500 may be an electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions. The computer-readable medium 500 may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage device, an optical disc, and the like.

The processor may fetch, decode, and execute the instructions 502 to access a plurality of features 132 pertaining to an interaction event 122 on a computing device 120. The processor may fetch, decode, and execute the instructions 504 to apply an anomaly detection model on the accessed plurality of features 132, in which the anomaly detection model 110 may encode the plurality of features 132 into latent data and output a reconstruction of the plurality of features from the latent data. The processor may fetch, decode, and execute the instructions 506 to calculate a reconstruction error based on a difference between the reconstruction of the plurality of features and the plurality of features 132. The processor may fetch, decode, and execute the instructions 508 to determine whether at least one of the plurality of features 132 is anomalous based on the calculated reconstruction error. In addition, the processor may fetch, decode, and execute the instructions 510 to, based on a determination that at least one of the plurality of features 132 is anomalous, output a notification 150 that the interaction event 122 is anomalous.

As discussed herein, the anomaly detection model 110 may output a reconstruction for each of the features in the plurality of features. In addition, the processor may fetch, decode, and execute the instructions 512 to identify anomalous features. For instance, the processor may calculate respective reconstruction error values of the features from the respective reconstructions and may identify a feature of the plurality of features that is anomalous based on the calculated reconstruction error values. The processor may fetch, decode, and execute the instructions 514 to output an identification of the identified feature.

According to examples, the processor may fetch, decode, and execute the instructions 516 to determine whether an account is likely compromised. For instance, the processor may calculate an anomaly score from the calculated reconstruction error, determine whether the anomaly score exceeds a predefined value, and based on a determination that the anomaly score exceeds the predefined value, determine that an account associated with the event is likely compromised. In addition, or alternatively, the processor may calculate a plurality of anomaly scores from the calculated reconstruction error over windows of time, determine an account score for a time window in the windows of time, determine whether the account score exceeds a predefined score, and based on a determination that the account score exceeds the predefined score, determine that an account associated with the event is likely compromised. The processor may also fetch, decode, and execute the instructions 518 to output an indication that the account is likely compromised.
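The whole pipeline of instructions 504 through 518 above (encode to latent data, reconstruct, compute the reconstruction error, score the event by mean square error, name the worst-reconstructed features, and roll per-event scores up into an account score per time window), as an added example in Python that is not code from the original disclosure. Everything the disclosure leaves open is an assumption here: a PCA linear autoencoder fitted by power iteration with the standard library stands in for the unspecified anomaly detection model 110, features are z-scored with training statistics, the "predefined value" is taken as the mean plus three standard deviations of the training anomaly scores, and the account score is the mean anomaly score per account per one-hour window. The feature names (`bytes_out`, `files_accessed`, `session_minutes`, `api_calls`, `failed_logins`) and all event data are constructed sample data.

```python
"""Reconstruction-error anomaly scoring, added example (not from the disclosure).

Assumptions: a PCA linear autoencoder (power iteration, stdlib only) stands in
for anomaly detection model 110; features are z-scored with training statistics;
the "predefined value" is mean + 3*std of training anomaly scores; the account
score is the mean anomaly score per account per one-hour window. Feature names
and all event data below are constructed sample data.
"""
import math
import random
import statistics
from collections import defaultdict

FEATURES = ["bytes_out", "files_accessed", "session_minutes", "api_calls", "failed_logins"]


def constructed_normal_events(n, seed=7):
    """Constructed 'normal' feature vectors driven by two hidden factors (training data)."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        act, dur = rng.gauss(0, 1), rng.gauss(0, 1)
        rows.append([500 + 200 * act + rng.gauss(0, 20),   # bytes_out
                     20 + 8 * act + rng.gauss(0, 1),        # files_accessed
                     60 + 15 * dur + rng.gauss(0, 7),       # session_minutes
                     100 + 30 * dur + rng.gauss(0, 14),     # api_calls
                     abs(rng.gauss(0, 0.7))])               # failed_logins
    return rows


class LinearAutoencoder:
    """Encodes d standardized features into k latent values and reconstructs them."""

    def __init__(self, k):
        self.k, self.mean, self.std, self.components = k, None, None, []

    def standardize(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mean, self.std)]

    def fit(self, rows, iters=300):
        d = len(rows[0])
        cols = list(zip(*rows))
        self.mean = [statistics.fmean(c) for c in cols]
        self.std = [statistics.pstdev(c) or 1.0 for c in cols]
        z = [self.standardize(r) for r in rows]
        cov = [[sum(a[i] * a[j] for a in z) / len(z) for j in range(d)] for i in range(d)]
        for _ in range(self.k):  # top-k eigenvectors by power iteration plus deflation
            v = [1.0 / math.sqrt(d)] * d
            for _ in range(iters):
                w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
                norm = math.sqrt(sum(c * c for c in w))
                v = [c / norm for c in w]
            lam = sum(v[i] * cov[i][j] * v[j] for i in range(d) for j in range(d))
            cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
            self.components.append(v)
        return self

    def encode(self, x):
        """Latent data: projection of the standardized features onto the components."""
        z = self.standardize(x)
        return [sum(zi * vi for zi, vi in zip(z, v)) for v in self.components]

    def reconstruct(self, x):
        """Decode the latent vector back into standardized feature space."""
        latent = self.encode(x)
        return [sum(l * v[i] for l, v in zip(latent, self.components)) for i in range(len(x))]

    def feature_errors(self, x):
        """Per-feature squared reconstruction error (one value per feature)."""
        return [(a - b) ** 2 for a, b in zip(self.standardize(x), self.reconstruct(x))]


def anomaly_score(model, x):
    """Mean square error of the reconstruction: the per-event anomaly score."""
    return statistics.fmean(model.feature_errors(x))


def fit_threshold(model, rows, n_sigma=3.0):
    """Assumed 'predefined value': mean + n_sigma * std of the training scores."""
    scores = [anomaly_score(model, r) for r in rows]
    return statistics.fmean(scores) + n_sigma * statistics.pstdev(scores)


def top_anomalous_features(model, x, n=1):
    """Names of the n features with the largest reconstruction error."""
    errs = model.feature_errors(x)
    order = sorted(range(len(errs)), key=lambda i: errs[i], reverse=True)
    return [FEATURES[i] for i in order[:n]]


def account_scores(model, events, window_s=3600):
    """Mean anomaly score per (account, window); events are (account, ts, features)."""
    buckets = defaultdict(list)
    for account, ts, x in events:
        buckets[(account, ts // window_s)].append(anomaly_score(model, x))
    return {key: statistics.fmean(s) for key, s in buckets.items()}


if __name__ == "__main__":
    train = constructed_normal_events(400)
    model = LinearAutoencoder(k=2).fit(train)
    threshold = fit_threshold(model, train)
    burst = [520, 21, 58, 96, 25]  # constructed event: 25 failed logins in one session
    print(f"threshold={threshold:.2f} score={anomaly_score(model, burst):.1f}",
          top_anomalous_features(model, burst))
```

Two points the code makes that the prose does not: the reconstruction error has to be taken in standardized units, otherwise a feature with a large raw range (bytes) drowns out a small-count feature (failed logins) in the mean square error, and the same per-feature error vector that drives the event-level score is what lets an analyst see which feature the model could not explain, so the notification can carry the feature name rather than only a score.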

Although described specifically throughout the entirety of the instant disclosure, representative examples of the present disclosure have utility over a wide range of applications, and the above discussion is not intended and should not be construed to be limiting, but is offered as an illustrative discussion of aspects of the disclosure.

What has been described and illustrated herein is an example of the disclosure along with some of its variations. The terms, descriptions and figures used herein are set forth by way of illustration only and are not meant as limitations. Many variations are possible within the scope of the disclosure, which is intended to be defined by the following claims—and their equivalents—in which all terms are meant in their broadest reasonable sense unless otherwise indicated.

What is claimed is:
 1. An apparatus comprising: a processor; and a memory on which is stored machine-readable instructions that when executed by the processor, cause the processor to: access a plurality of features pertaining to an event; apply an anomaly detection model on the accessed plurality of features, wherein the anomaly detection model is to output a reconstruction of the accessed plurality of features; calculate a reconstruction error of the reconstruction; determine whether a combination of the plurality of features is anomalous based on the calculated reconstruction error; and based on a determination that the combination of the plurality of features is anomalous, output a notification that the event is anomalous.
 2. The apparatus of claim 1, wherein the anomaly detection model is to output a reconstruction for each of the features in the plurality of features and wherein the instructions cause the processor to: calculate respective reconstruction error values of the features from the respective reconstructions; identify a feature of the plurality of features that is anomalous based on the calculated reconstruction error values; and output an identification of the identified feature.
 3. The apparatus of claim 1, wherein the anomaly detection model is to output a reconstruction for each of the features in the plurality of features and wherein the instructions cause the processor to: calculate respective reconstruction error values of the features from the respective reconstructions; identify a set of the features that are anomalous based on the calculated reconstruction error values, wherein the set of the features corresponds to a predefined number of anomalous features; and output identifications of the identified set of the features.
 4. The apparatus of claim 1, wherein the plurality of features pertaining to the event comprise data directly corresponding to the event and data indirectly corresponding to the event.
 5. The apparatus of claim 1, wherein the plurality of features correspond to data collected during a predetermined period of time.
 6. The apparatus of claim 1, wherein the instructions cause the processor to: calculate an anomaly score from the calculated reconstruction error; determine whether the anomaly score exceeds a predefined value; and based on a determination that the anomaly score exceeds the predefined value, determine that an account associated with the event is likely compromised.
 7. The apparatus of claim 6, wherein the instructions cause the processor to: calculate a mean square error of the calculated reconstruction error to calculate the anomaly score.
 8. The apparatus of claim 1, wherein the instructions cause the processor to: calculate a plurality of anomaly scores from the calculated reconstruction error over windows of time; determine an account score for a time window in the windows of time; determine whether the account score exceeds a predefined score; and based on a determination that the account score exceeds the predefined score, determine that an account associated with the event is likely compromised.
 9. The apparatus of claim 1, wherein the instructions cause the processor to: train the anomaly detection model with training data corresponding to normal activities of the features.
 10. A method comprising: accessing, by a processor, a plurality of features pertaining to an interaction event on a computing device; applying, by the processor, an anomaly detection model on the accessed plurality of features, wherein the anomaly detection model is to encode the plurality of features into latent data and to output a reconstruction of the plurality of features from the latent data; calculating, by the processor, a reconstruction error based on a difference between the reconstruction of the plurality of features and the plurality of features; determining, by the processor, whether at least one of the plurality of features is anomalous based on the calculated reconstruction error; and based on a determination that at least one of the plurality of features is anomalous, outputting a notification that the interaction event is anomalous.
 11. The method of claim 10, wherein the anomaly detection model is to output a reconstruction for each of the features in the plurality of features, the method further comprising: calculating respective reconstruction error values of the features from the respective reconstructions; identifying a feature of the plurality of features that is anomalous based on the calculated reconstruction error values; and outputting an identification of the identified feature.
 12. The method of claim 10, wherein the anomaly detection model is to output a reconstruction for each of the features in the plurality of features, the method further comprising: calculating respective reconstruction error values of the features from the respective reconstructions; identifying a set of the features that are anomalous based on the calculated reconstruction error values, wherein the set of the features corresponds to a predefined number of anomalous features; and outputting identifications of the identified set of the features.
 13. The method of claim 10, further comprising: calculating an anomaly score from the calculated reconstruction error; determining whether the anomaly score exceeds a predefined value; and based on a determination that the anomaly score exceeds the predefined value, determining that an account associated with the interaction event is likely compromised.
 14. The method of claim 10, further comprising: calculating a plurality of anomaly scores from the calculated reconstruction errors over windows of time; determining an account score for a time window in the windows of time; determining whether the account score exceeds a predefined score; and based on a determination that the account score exceeds the predefined score, determining that an account associated with the event is likely compromised.
 15. The method of claim 10, further comprising: training the anomaly detection model with training data corresponding to normal activities of the features.
 16. The method of claim 10, wherein the plurality of features pertaining to the event comprise data directly corresponding to the event and data indirectly corresponding to the event.
 17. A computer-readable medium on which is stored computer-readable instructions that when executed by a processor, cause the processor to: access a plurality of features pertaining to an interaction event on a computing device; apply an anomaly detection model on the accessed plurality of features, wherein the anomaly detection model is to encode the plurality of features into latent data and to output a reconstruction of the plurality of features from the latent data; calculate a reconstruction error based on a difference between the reconstruction of the plurality of features and the plurality of features; determine whether at least one of the plurality of features is anomalous based on the calculated reconstruction error; and based on a determination that at least one of the plurality of features is anomalous, output a notification that the interaction event is anomalous.
 18. The computer-readable medium of claim 17, wherein the anomaly detection model is to output a reconstruction for each of the features in the plurality of features, and wherein the instructions further cause the processor to: calculate respective reconstruction error values of the features from the respective reconstructions; identify a feature of the plurality of features that is anomalous based on the calculated reconstruction error values; and output an identification of the identified feature.
 19. The computer-readable medium of claim 17, wherein the instructions further cause the processor to: calculate an anomaly score from the calculated reconstruction error; determine whether the anomaly score exceeds a predefined value; and based on a determination that the anomaly score exceeds the predefined value, determine that an account associated with the event is likely compromised.
 20. The computer-readable medium of claim 17, wherein the instructions further cause the processor to: calculate a plurality of anomaly scores from the calculated reconstruction error over windows of time; determine an account score for a time window in the windows of time; determine whether the account score exceeds a predefined score; and based on a determination that the account score exceeds the predefined score, determine that an account associated with the event is likely compromised.